HackTool - EDRSilencer Execution
Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
Sigma rule

```yaml
title: HackTool - EDRSilencer Execution
id: eb2d07d4-49cb-4523-801a-da002df36602
status: experimental
description: |
    Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
references:
    - https://github.com/netero1010/EDRSilencer
author: '@gott_cyber'
date: 2024/01/02
tags:
    - attack.defense_evasion
    - attack.t1562
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\EDRSilencer.exe'
        - OriginalFileName: 'EDRSilencer.exe'
        - Description|contains: 'EDRSilencer'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
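The rule's `selection` is a list of three maps, which Sigma evaluates as OR: a process-creation event fires the rule if the image path, the PE `OriginalFileName`, or the PE `Description` matches, so renaming the binary on disk is not enough to stay below it. The following is an added example, not part of the rule or of SigmaHQ, that evaluates that selection over constructed Sysmon-style process-creation events; the event contents and field names are assumed for the demo.

```python
# Added example (not part of the Sigma rule or SigmaHQ): evaluates this
# rule's selection over constructed process_creation events using
# Sysmon Event ID 1 style field names. Event contents are made up.

# A Sigma selection written as a list of maps is OR-ed: one match fires.
# The modifier mirrors the rule's |endswith / |contains field syntax.
SELECTION = [
    ("Image", "endswith", "\\EDRSilencer.exe"),
    ("OriginalFileName", "equals", "EDRSilencer.exe"),
    ("Description", "contains", "EDRSilencer"),
]


def _field_matches(event_value, modifier, pattern):
    """Sigma string matching is case-insensitive; a missing field never matches."""
    if event_value is None:
        return False
    ev, pat = str(event_value).lower(), pattern.lower()
    if modifier == "endswith":
        return ev.endswith(pat)
    if modifier == "contains":
        return pat in ev
    return ev == pat


def matched_selectors(event):
    """Return the selector fields that matched (empty list == no alert)."""
    return [field for field, modifier, pattern in SELECTION
            if _field_matches(event.get(field), modifier, pattern)]


# Constructed sample events.
SAMPLE_EVENTS = [
    # Tool run under its own name: image path and PE metadata all match.
    {"Image": "C:\\Tools\\EDRSilencer.exe", "OriginalFileName": "EDRSilencer.exe",
     "Description": "EDRSilencer"},
    # Renamed on disk: Image misses, but the PE version resource fields
    # (OriginalFileName, Description) still fire, which is why the rule keys on them.
    {"Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "EDRSilencer.exe",
     "Description": "EDRSilencer"},
    # Benign process: no selector matches.
    {"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "Description": "Notepad"},
    # Event carrying no PE metadata fields at all: treated as non-matching.
    {"Image": "C:\\Windows\\System32\\cmd.exe"},
]


def evaluate(events):
    """Map event index -> matched selectors, for the events that would alert."""
    return {i: hits for i, e in enumerate(events) if (hits := matched_selectors(e))}
```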